Reducing Vulnerabilities in Agile Development Methods | CompTIA CAS-003 Exam Guide

Question

A software development manager is running a project using agile development methods.

The company cybersecurity engineer has noticed a high number of vulnerabilities have been making it into production code on the project.

Which of the following methods could be used in addition to an integrated development environment to reduce the severity of the issue?

Answers

Explanations

A. B. C. D.

D.

Agile development methods prioritize flexibility and collaboration throughout the software development lifecycle (SDLC). However, due to the iterative and collaborative nature of agile development, it is possible that vulnerabilities may slip through the cracks during the development process. To address this issue, the software development manager could incorporate additional methods to reduce the severity of vulnerabilities that make it into production code.

Option A, conducting a penetration test on each function as it is developed, is a useful method to identify vulnerabilities during the development process. Penetration testing involves simulating an attacker's methods and techniques to find security weaknesses. By testing each function as it is developed, vulnerabilities can be detected and addressed early in the development process, reducing the severity of issues that make it into production code.

Option B, developing a set of basic checks for common coding errors, is another useful method for reducing vulnerabilities in the code. These checks can include basic security measures such as input validation, boundary checks, and authentication checks. By implementing these checks throughout the development process, vulnerabilities can be identified and addressed before the code reaches production.

Option C, adopting a waterfall method of software development, is not a recommended solution to address vulnerabilities in agile development. Waterfall is a linear approach to software development, where each phase must be completed before moving on to the next. This approach is less flexible and collaborative than agile, and vulnerabilities may still make it into production code despite the sequential nature of the development process.

Option D, implementing unit tests that incorporate static code analyzers, is another useful method for reducing vulnerabilities in code. Unit tests involve testing individual units or components of the software, while static code analyzers analyze the code for potential issues such as memory leaks or buffer overflows. By implementing unit tests that incorporate static code analyzers, vulnerabilities can be identified and addressed early in the development process.
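What Option D describes can look like the following, as an added example that is not part of the original guide: a unit test that runs a static check over source code without executing it, so findings fail the same test run developers already use. The two-rule checker, the rule set and the sample sources are constructed for illustration and stand in for a real static analyzer.

```python
import ast
import unittest

# Constructed sample code (not from the page): a flawed unit and its fix.
FLAWED_SOURCE = """\
import subprocess

def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)

def calc(expr):
    return eval(expr)
"""
FIXED_SOURCE = """\
import ast, subprocess

def ping(host):
    return subprocess.run(["ping", "-c", "1", host])

def calc(expr):
    return ast.literal_eval(expr)
"""

RISKY_BUILTINS = {"eval", "exec"}  # hypothetical rule set for this example

def find_issues(source):
    """Parse source without executing it; return sorted (line, finding) pairs."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # Rule 1: direct call to a code-evaluating builtin.
        if isinstance(node.func, ast.Name) and node.func.id in RISKY_BUILTINS:
            issues.append((node.lineno, f"call to {node.func.id}()"))
        # Rule 2: any call given shell=True (command injection risk).
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                issues.append((node.lineno, "shell=True passed to a call"))
    return sorted(issues)

class StaticAnalysisGate(unittest.TestCase):
    """Runs with the ordinary unit tests, so findings fail the build."""
    def test_unit_has_no_findings(self):
        self.assertEqual(find_issues(FIXED_SOURCE), [])

if __name__ == "__main__":
    unittest.main()
```

Pointing the test at `FLAWED_SOURCE` instead makes it fail with the line number of each finding, which is the feedback a developer gets inside the sprint rather than after release.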

In conclusion, Option A (conducting penetration tests on each function) and Option D (implementing unit tests that incorporate static code analyzers) are the most effective methods for reducing the severity of vulnerabilities that make it into production code in an agile development environment. Option B (developing a set of basic checks for common coding errors) can also be useful but may not catch all vulnerabilities. Option C (adopting a waterfall method of software development) is not recommended as it is less flexible and collaborative than agile development.